[Samba] Access denied using IP when joined in MS domain with RODC

samba.50.mward2014 at spamgourmet.com samba.50.mward2014 at spamgourmet.com
Sat Jan 11 12:07:01 MST 2014


The problem I have is a little strange and is due to the configuration of our Active Directory.  The following symptoms occur with the following setup.  I will provide more details on the setup later.

Microsoft Windows 2012 DC domain controller (ad1.local)
Microsoft Windows 2012 RODC read only domain controller (public.ad1.local)
Ubuntu 12.04 with Samba 3.6.3 (mizb-nas01)

The ubuntu/Samba server has been joined into the domain.
The DC is firewalled off from all computers except the RODC
The ubuntu/samba server is configured to use the RODC.  The samba server is prevented from accessing the DC.
The Ubuntu/Samba server is only a member of the domain.

When a client accesses the ubuntu/samba server with the netbios/fqdn I have no problems.  AD security and file access works.  I have problems accessing the ubuntu/samba server with the ip address or with a DNS A record pointing to the same IP address.

What I am expecting to accomplish is the ability to set up a DNS A record that will be used to access the Ubuntu/Samba server.

From a Windows computer (Windows 2012 Server) when I execute the following command with the IP of the Samba server I get the following error.

> net view \\10.0.40.10
System error 5 has occurred.
Access is denied.

From the same Windows computer when I execute the following command using the Samba server's netbios name or fully qualified name the command does not fail and I get what I am expecting to see.

>net view \\mizb-nas01
Shared resources at \\mizb-nas01
mizb-nas01 server (Samba, Ubuntu)
Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ad1.files        Disk
The command completed successfully.

From the same Windows computer when I browse in File Explorer to the Samba server using the server's IP address I get the following error.
"\\10.0.40.10 is not accessible.  You might not have permission to use this network resource.  Contact the administrator of this server to find out if you have access permissions.
The security database on the server does not have a computer account for this workstation trust relationship."

From the same Windows computer when I browse in File Explorer to the Samba server using the netbios name or fully qualified name I am able to see and access the shares.

Now, if I open the firewall and let the ubuntu/Samba server access the DC the previous commands will work using ip, netbios, or dns A record.  It is only when the DC firewall rules are put into place that I cannot access the ubuntu/samba server via IP or dns A record.

Some diagnostics.  If I execute wbinfo -u or -g I am able to obtain a list of the domain users and groups with or without access to the DC.

More information on the setup.

The ports open from the Ubuntu/Samba server to the RODC:
TCP: 53, 88, 135, 389, 445, 749, 3268, 5722, 49152-65535
UDP: 53, 123, 389


===========================================================================
Configuration

--------------------------------------
/etc/krb5.conf
--------------------------------------
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
[libdefaults]
        default_realm = AD1.LOCAL
[realms]
        AD1.LOCAL = {
                default_domain = ad1.local
#----- RODC ---------
                kdc = public.ad1.local:88
                admin_server = public.ad1.local:749
#----- RWDC ---------
#rwdc           kdc = ad1.local:88
#rwdc           admin_server = ad1.local:749
        }
[domain_realm]
        ad1.local = AD1.LOCAL


--------------------------------------
/etc/samba/smb.conf
--------------------------------------

[global]
        log file = /var/log/samba/log.%m
        load printers = no
        encrypt passwords = yes
        realm = AD1.LOCAL
        passdb backend = tdbsam
        netbios name = mizb-nas01
        cups options = raw
        workgroup = AD1
        os level = 0
        security = ads
        max log size = 1000
        winbind enum users = yes
        winbind enum groups = yes
        client ldap sasl wrapping = sign
        server string = %h server (Samba, Ubuntu)
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        log level = 2
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        wins support = no
        domain master = no
        preferred master = no
#---- RODC ----
        wins server = public.ad1.local
        password server = public.ad1.local
#---- RWDC ----
#rwdc   wins server = ad1.local
#rwdc   password server = ad1.local
        map to guest = bad user
#============= SHARES ============================================
[ad1.files]
        valid users = @"AD1\domain users"
        writeable = yes
        create mode = 777
        path = /data/cifs/ad1.local/files/
        directory mode = 777

--------------------------------------
/etc/nsswitch.conf
--------------------------------------
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

------------------------------------------------------------------------------


The following are log entries of interest.
log level = 2

/var/log/samba/
---------------------------------------
log.winbindd
---------------------------------------
[2014/01/10 19:39:40,  0] winbindd/winbindd.c:1336(main)
  winbindd version 3.6.3 started.

[2014/01/10 19:39:44.608433,  1] winbindd/winbindd_util.c:294(trustdom_list_done)
  Could not receive trustdoms

---------------------------------------
log.nmbd
---------------------------------------
[2014/01/10 19:39:53,  0] nmbd/nmbd.c:860(main)
  nmbd version 3.6.3 started.

[2014/01/10 19:40:08,  2] nmbd/nmbd_elections.c:202(run_elections)
  run_elections: >>> Won election for workgroup AD1 on subnet 10.0.40.10 <<<
[2014/01/10 19:40:08,  2] nmbd/nmbd_become_lmb.c:538(become_local_master_browser)
  become_local_master_browser: Starting to become a master browser for workgroup AD1 on subnet 10.0.40.10
[2014/01/10 19:40:14,  2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.189.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14,  2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.89.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14,  2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.189.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14,  2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.89.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14,  2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.189.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:16,  0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****

  Samba name server MIZB-NAS01 is now a local master browser for workgroup AD1 on subnet 10.0.40.10

  *****
[2014/01/10 19:40:37,  0] nmbd/nmbd_browsesync.c:351(find_domain_master_name_query_fail)
  find_domain_master_name_query_fail:
  Unable to find the Domain Master Browser name AD1<1b> for the workgroup AD1.
  Unable to sync browse lists in this workgroup.

---------------------------------------
log.wb-AD1
---------------------------------------
[2014/01/10 19:39:44.570318,  2] libsmb/cliconnect.c:1433(cli_session_setup_kerberos_send)
  Doing kerberos session setup
[2014/01/10 19:42:04.024728,  2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:42:05.084260,  2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:42:05.909198,  2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)

---------------------------------------
log.mizb-rdpgateway
---------------------------------------
[2014/01/10 19:42:04.025091,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [mark.ward] -> [mark.ward] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2014/01/10 19:42:05.084552,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [mark.ward] -> [mark.ward] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT

---------------------------------------
log.winbindd-dc-connect
---------------------------------------
*contains 0 bytes*
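The log excerpts above show two different authentication paths: the name-based access goes through a Kerberos session setup, while the IP-based access arrives as an NTLM pass-through check that comes back with NT_STATUS_NO_TRUST_SAM_ACCOUNT. The following triage script is an added example, not code from the post or from Samba; it parses the Samba 3.x log layout shown above (a bracketed header line followed by indented message lines) and counts the entries of each kind so the two paths can be compared side by side. The sample log text is constructed from the excerpts in the post.

```python
import re
from collections import Counter

# Constructed sample, patterned on the log.wb-AD1 and log.nmbd excerpts in the post.
SAMPLE_LOG = r"""[2014/01/10 19:39:44.570318,  2] libsmb/cliconnect.c:1433(cli_session_setup_kerberos_send)
  Doing kerberos session setup
[2014/01/10 19:42:04.024728,  2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:42:05.084260,  2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:40:14,  2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.189.10 timed out registering IP 10.0.40.10
"""

# Samba 3.x header: "[date time,  level] file.c:line(function)"; the message follows, indented.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
NTLM_FAIL = re.compile(
    r"NTLM CRAP authentication for user \[(?P<dom>[^\]]+)\]\\\[(?P<user>[^\]]+)\] "
    r"returned (?P<status>NT_STATUS_\w+)")
WINS_TIMEOUT = re.compile(r"WINS server (?P<server>\S+) timed out registering IP (?P<ip>\S+)")


def parse_entries(text):
    """Group each header line with its indented continuation lines into one record."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]), "src": m["src"], "msg": []})
        elif entries and line.startswith(" "):
            entries[-1]["msg"].append(line.strip())
    for e in entries:
        e["msg"] = " ".join(e["msg"])
    return entries


def triage(text):
    """Count Kerberos setups, NTLM pass-through failures per (domain, user, status), WINS timeouts."""
    summary = {"kerberos_setups": 0, "ntlm_failures": Counter(), "wins_timeouts": Counter()}
    for e in parse_entries(text):
        if "cli_session_setup_kerberos_send" in e["src"]:   # name-based access negotiated Kerberos
            summary["kerberos_setups"] += 1
        elif (m := NTLM_FAIL.search(e["msg"])):              # NTLM check rejected by the DC/RODC
            summary["ntlm_failures"][(m["dom"], m["user"], m["status"])] += 1
        elif (m := WINS_TIMEOUT.search(e["msg"])):           # WINS server unreachable from this host
            summary["wins_timeouts"][m["server"]] += 1
    return summary
```

Running `triage()` over the real log.wb-AD1 and log.nmbd files on the member server gives a quick count of how many client logons fell back to NTLM and were refused, versus how many negotiated Kerberos.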

